Bug 163514

Summary: newer yet outdated policy stops operation of mozilla-bin, yum, rhn-applet, smbd ...
Product: Fedora
Reporter: David Timms <dtimms>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 3
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-07-20 15:57:45 UTC

Attachments (description / flags):
- var/log/messages where audit is challenging winbindd (none)
- winbind audit problems after correcting smb lock directory (none)
- audit denieds on winbindd after suggested fixes (none)

Description David Timms 2005-07-18 14:18:34 UTC
Description of problem:
Various executables are being blocked by audit.

Version-Release number of selected component (if applicable):
# rpm -qa|grep selin
selinux-policy-targeted-1.17.31-1
libselinux-1.19.1-8

How reproducible:
Boot with kernel-2.6.12-1.1372_FC3.

Steps to Reproduce:
1. start with older kernel 11-27 (maybe earlier running)
2. yum update kernel 11-35? but not rebooted
3. yum update which got newer 12-1 kernel and se-p.-t.
4. reboot to new kernel.
  
Actual results:
The following apps won't start, leaving tell-tale entries in /var/log/messages:

Jul 18 18:33:49 server1 kernel: audit(1121675629.183:0): avc:  denied  { write }
for  pid=2955 exe=/usr/sbin/nscd name=nscd dev=sda9 ino=432867
scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=dir

Jul 18 19:56:12 server1 kernel: audit(1121680551.622:3): avc:  denied  { write }
for  pid=2637 comm="nscd" name="nscd" dev=sda9 ino=432867
scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=dir

Jul 18 19:56:16 server1 kernel: audit(1121680576.855:5): avc:  denied  {
name_connect } for  pid=2960 comm="smbd" dest=631
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t
tclass=tcp_socket

Jul 18 19:56:16 server1 smbd[2960]:   Unable to connect to CUPS server localhost
- Permission denied

Jul 18 19:56:33 server1 kernel: audit(1121680593.696:7): avc:  denied  {
name_connect } for  pid=3835 comm="eggcups" dest=631
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t
tclass=tcp_socket

Jul 18 19:56:52 server1 kernel: audit(1121680612.271:9): avc:  denied  {
name_connect } for  pid=3952 comm="rhn-applet-gui" dest=80
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:http_port_t
tclass=tcp_socket

Jul 18 19:56:52 server1 kernel: audit(1121680612.292:18): avc:  denied  {
name_connect } for  pid=3833 comm="rhn-applet-gui" dest=80
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:http_port_t
tclass=tcp_socket

Jul 18 20:02:54 server1 kernel: audit(1121680974.383:116): avc:  denied  {
name_connect } for  pid=4021 comm="mozilla-bin" dest=901
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t
tclass=tcp_socket

Jul 18 20:03:14 server1 kernel: audit(1121680994.618:117): avc:  denied  {
name_connect } for  pid=3934 comm="gnome-panel" dest=16001
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t
tclass=tcp_socket

Expected results:
The apps should run.

Additional info:
on request...tell me what you need.

Comment 1 Daniel Walsh 2005-07-18 14:22:26 UTC
The latest policy should be  selinux-policy-targeted-1.17.30-3.19

Please upgrade to that.

Comment 2 David Timms 2005-07-19 09:39:53 UTC
Created attachment 116915 [details]
var/log/messages where audit is challenging winbindd

OK, I note that the s-p-t installed is a newer (larger = 1.17.31-1) version, but
rpm -q --info gives an older date (tweety compile in Sept/Oct 2004). rpm/yum
think the installed one is newer, so an rpm -Uvh --oldpackage
selinux-policy-targeted-1.17.30-3.19 got it installed.

The machine was fresh installed in about December, and as far as I know has had
updates done using only yum (with the default fedora and updates-released
repos).

So it seems the newer kernel version showed up the fact that the incorrect
s-p-t was installed, but I don't know whether this would happen to other
machines.

Server was rebooted this evening, and now all items above are allowed to do
their thing. However, it seems that winbindd is now getting stopped. I also tried
reinstalling the policy (-Uvh) and the kernel (-e, -ivh) and rebooting, but that
hasn't fixed it.

Is this the same as bug
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143564 (which is resolved
with an older redhat 4 s-p-t 1.17.30-2-88)? (See attachment if winbind is
new.)

Comment 3 Daniel Walsh 2005-07-19 15:32:28 UTC
Are you running your own version of samba?  The standard location for the
tdb file is under /var/cache/samba, not /var/lib.

Dan

Comment 4 David Timms 2005-07-20 04:52:41 UTC
Created attachment 116964 [details]
winbind audit problems after correcting smb lock directory

rpm -q --info samba
..
Version     : 3.0.14a  Vendor: (none)
Release     : 1        Build Date: Fri 15 Apr 2005 16:25:12 EST
Install Date: Sun 08 May 2005 00:36:28 EST Build Host: fc3.plainjoe.org
Group	    : System Environment/Daemons Source RPM: samba-3.0.14a-1.src.rpm

So no, not a redhat samba, but instead a fc3 build by samba.org. I confirm that
the package was compiled with default lock directory = /var/lib/samba

I also checked that the fc3 samba-common-3.0.10-1.fc3.i386.rpm definitely has a
default of /var/cache/samba as you describe. Hence your diagnosis of
the secondary fault/problem is correct! Thanks :)

Feel welcome to close the bug as invalid, although with this _different_ samba
corrected to use /var/cache/samba, the attached selinux audit logs show the
policy stopping winbindd from starting, but with different errors. winbind does
start up OK on a separate test machine with the samba-3.0.10-1 installed.

Comment 5 Daniel Walsh 2005-07-20 12:13:31 UTC
I still think you have a labeling problem.  Those files that winbind is trying
to access should not be labeled var_t; they should be in the /var/cache/samba
tree and labeled samba_var_t.  Please restorecon the /var tree:

restorecon -R -v /var

Or do the entire system

touch /.autorelabel
reboot
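
The denials quoted in the description and the labelling diagnosis in Comment 5 both come down to reading AVC records correctly. The script below is an added example, not part of the bug report or of the selinux-policy package: it re-joins the kernel audit records the tracker wrapped across several lines, parses each `avc: denied` entry into subject, permission, object class and target type, and sorts them into "file carries a generic label such as var_t, so relabel with restorecon" versus "domain is not allowed to connect to that port, so this is a policy question". The sample log is constructed from the records on this page, and the list of generic file types used for the relabel heuristic is an assumption of the example.

```python
"""Summarise SELinux AVC denials from a syslog extract (added example)."""
import re
from collections import Counter
from os.path import basename

# Constructed sample, modelled on the records quoted in the bug report; the
# tracker wrapped each record over several lines, exactly as reproduced here.
SAMPLE_LOG = """\
Jul 18 18:33:49 server1 kernel: audit(1121675629.183:0): avc:  denied  { write }
for  pid=2955 exe=/usr/sbin/nscd name=nscd dev=sda9 ino=432867
scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=dir
Jul 18 19:56:16 server1 kernel: audit(1121680576.855:5): avc:  denied  {
name_connect } for  pid=2960 comm="smbd" dest=631
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t
tclass=tcp_socket
Jul 18 19:56:16 server1 smbd[2960]:   Unable to connect to CUPS server localhost
- Permission denied
Jul 18 19:56:52 server1 kernel: audit(1121680612.271:9): avc:  denied  {
name_connect } for  pid=3952 comm="rhn-applet-gui" dest=80
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:http_port_t
tclass=tcp_socket
"""

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object types that mean "no specific label was applied" (assumption of this
# example): a confined daemon hitting one of these is usually a relabel job.
GENERIC_FILE_TYPES = {"var_t", "file_t", "default_t", "unlabeled_t"}
FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}


def unwrap(text):
    """Re-join records that were wrapped across lines."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def ctx_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(text):
    """Return one dict per AVC denial: perms, comm, tclass, source/target types."""
    out = []
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        if not m:
            continue  # not a kernel AVC record (e.g. the smbd message)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        # Older kernels logged exe=/path instead of comm="name"; fall back to it.
        comm = fields.get("comm") or basename(fields.get("exe", "?"))
        out.append({
            "perms": m.group("perms").split(),
            "comm": comm,
            "tclass": fields.get("tclass", "?"),
            "stype": ctx_type(fields.get("scontext", "?")),
            "ttype": ctx_type(fields.get("tcontext", "?")),
            "target": fields.get("name") or fields.get("dest") or "?",
        })
    return out


def classify(denial):
    """Heuristic verdict: relabel, policy, or needs a closer look."""
    if denial["tclass"] in FILE_CLASSES and denial["ttype"] in GENERIC_FILE_TYPES:
        return "mislabelled-file: run restorecon on the path, then re-test"
    if denial["tclass"].endswith("_socket") and "name_connect" in denial["perms"]:
        return "port-access: policy does not let this domain connect to that port"
    return "other: review with audit2why / audit2allow"


def summarize(text):
    """Count denials by (comm, perms, tclass, ttype) and attach a verdict to each key."""
    counts, verdicts = Counter(), {}
    for d in parse_avc(text):
        key = (d["comm"], " ".join(d["perms"]), d["tclass"], d["ttype"])
        counts[key] += 1
        verdicts[key] = classify(d)
    return counts, verdicts


if __name__ == "__main__":
    counts, verdicts = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{n:3d}  {' '.join(key):58s}  {verdicts[key]}")
```

Run against a real /var/log/messages extract, the nscd line lands in the "mislabelled-file" bucket (target type var_t on a dir), which is the same conclusion Comment 5 draws for winbindd's files, while the smbd and rhn-applet-gui entries are port denials that no relabel will cure.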
Comment 6 David Timms 2005-07-20 15:57:10 UTC
Created attachment 116981 [details]
audit denieds on winbindd after suggested fixes.

Dan, thanks very much for your help, I am still not quite there yet!

I'll mark this as resolved current release, since this later problem is really
unrelated to the bug title.